Stronger safeguards needed for e-health records, says CDT

The Center for Democracy and Technology has published a policy paper on the …

My attention was directed this morning to a rather interesting policy paper from the Center for Democracy and Technology (CDT), a think tank that works on "keeping the Internet open, innovative, and free." The paper looks at some of the civil liberty issues surrounding health IT, and what should be done to maximize patient safety, privacy, and confidence.

The white paper lists a series of core principles for privacy, along the lines of those put forth by the Markle Foundation's Connecting for Health project. It reads like a list of Dr. House's worst things in the world. Among other things, there should be openness surrounding the collection of information, so that a patient can find out what sort of information is being stored. Patients should be told why their data is being captured, along with a guarantee that the data will never be shared without consent or used for unrelated purposes. Oversight and accountability need to be incorporated, along with penalties for transgressions.

Reading the list of core principles, I'm struck by how similar they seem to the UK's Data Protection Act, and I can't see many (other than the aforementioned Dr. House) taking umbrage. They are also in keeping with other developments in health information policy, such as GINA, the recent law that bans genetic discrimination.

CDT also recommends against central data storage, proposing instead that records be spread across a "network of networks." I'm envisaging this to mean keeping specialized test results on the computers of the labs that conducted them; a primary care doctor wouldn't need to keep a copy, but could access the results as and when necessary.

Finally, CDT also stresses the importance of ensuring that accountability and oversight actually happen. HIPAA, the current law governing patient confidentiality, doesn't apply to every healthcare relationship, as some state or local organizations are not covered, and the pace of development in health IT means that new safeguards are needed.

The field looks set to expand from the records your general practitioner or hospital keeps on you to include personal health IT platforms, such as those being worked on by Microsoft and Google. Currently, neither Microsoft's nor Google's personal health IT offering would fall under HIPAA, but both have signed up, along with other companies, to adopt the Markle Foundation's core principles. Individuals' health records can be assumed to be at least as sensitive as financial documents. The health IT industry will have to ensure that confidence, privacy, and security are at least as good as those associated with online banking and e-commerce.